You want to log the total number of TCP sessions.
You can configure the router to log the total number of TCP sessions, rather than just the number of packets, with the following set of commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 122 permit tcp any any eq telnet established
Router1(config)#access-list 122 permit tcp any any eq telnet
Router1(config)#access-list 122 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 122 in
Router1(config-if)#end
Router1#
Here is an alternative method that will also work:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 121 in
Router1(config-if)#end
Router1#
When you configure an access list, the router counts the total number of times it finds something that matches each line in the ACL. While this information is often useful, it does not tell you whether these counters are recording a thousand packets on a single session, or a single packet from each of a thousand sessions. The ACLs in this recipe count the number of TCP sessions, as well as the total number of packets.
In the first example, the first line in the ACL permits all established Telnet packets to pass through the access list, as we did in Recipe 19.5. The second line then matches all of the Telnet packets that the first one does not, which mainly means the initial SYN packet that starts the TCP session. As we mentioned in Recipe 19.4, the first packet of a TCP session contains the SYN bit. And, as we discussed in Recipe 19.5, an ACL that includes the established keyword will not match any packets that have the SYN bit set.
So, the second line catches the initial session establishment, while the first line matches all of the other packets in the session. Therefore, the second line gives us a way to count the total number of TCP sessions that pass through the router. Note that these sessions can be between any two devices; as long as they communicate through this router, we can count them. Of course, the ACL in the example counts only Telnet sessions, that is, sessions on TCP port number 23. However, it is easy enough to change the port number in the ACL to monitor other TCP-based applications.
When you apply this ACL to an interface, the show access-list command shows a running count of the number of Telnet sessions that have occurred:
Router1#show access-list 122
Extended IP access list 122
    permit tcp any any eq telnet established (3843 matches)
    permit tcp any any eq telnet (6 matches)
    permit ip any any (31937 matches)
Router1#
Six separate Telnet sessions have passed through the interface where we applied this ACL. If you want to know the total number of Telnet packets, you can simply add the first two lines together: 3843+6=3849 packets.
The second example uses a slightly different method for counting the number of sessions. In this case, the first line of the access list matches only Telnet packets with the SYN bit set, as discussed in Recipe 19.4:
Router1(config)#access-list 121 permit tcp any any eq telnet syn
The only packets that have this bit set are the packets from the initial TCP three-way handshake that establishes the session. So this also gives us a way of counting the total number of Telnet sessions. The second line of this ACL captures the remaining Telnet packets:
Router1#show access-list 121
Extended IP access list 121
    permit tcp any any eq telnet syn (7 matches)
    permit tcp any any eq telnet (3057 matches)
    permit ip any any (9404 matches)
Router1#
This ACL has counted seven separate Telnet sessions: 7+3057=3064 total Telnet packets.
We can take the counting functionality of these ACLs a step further by adding the log keyword to the ACL lines that count the sessions:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn log
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#end
Router1#
Including the log keyword like this allows us to keep a log of every TCP session, without needing to log all of the packets in these sessions. This can be useful for security records and audits:
Router1#show logging | include list 121
Feb 7 15:36:13: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3886) -> 10.2.2.2(23), 1 packet
Feb 7 15:36:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3887) -> 10.2.2.2(23), 1 packet
Feb 7 15:38:32: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3888) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:20: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4332) -> 10.2.2.2(23), 1 packet
Feb 8 07:49:35: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4333) -> 10.2.2.2(23), 1 packet
Feb 8 08:08:57: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4339) -> 10.2.2.2(23), 1 packet
Router1#
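The per-session log lines above are only useful for audits if something reads them. The following added example (not from the recipe or from Cisco) parses %SEC-6-IPACCESSLOGP lines in the format shown, totals sessions per source/destination/port for one ACL, and flags a source that opens several sessions inside a short window; the burst threshold, the window and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Pattern for the %SEC-6-IPACCESSLOGP lines this recipe's ACL produces.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: list (?P<acl>\d+) "
    r"(?P<action>permitted|denied) tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

def parse_line(line):
    """Return a dict of fields for one ACL log line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("acl", "sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    # IOS timestamps carry no year; year 1900 is fine for differences within one run.
    rec["when"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec

def count_sessions(lines, acl=121, burst=3, window_s=300):
    """Count logged sessions per (src, dst, dport) for `acl` and flag any source
    that opens `burst` or more sessions within `window_s` seconds (constructed threshold)."""
    sessions = Counter()
    seen = defaultdict(list)   # src -> timestamps of its recently logged SYNs
    bursts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["acl"] != acl or rec["action"] != "permitted":
            continue
        # One log line is one flow (src port distinguishes sessions); a retransmitted
        # SYN inside the logging interval raises the packet count, not the session count.
        sessions[(rec["src"], rec["dst"], rec["dport"])] += 1
        stamps = seen[rec["src"]]
        stamps.append(rec["when"])
        stamps[:] = [t for t in stamps if (rec["when"] - t).total_seconds() <= window_s]
        if len(stamps) >= burst:
            bursts.append((rec["src"], rec["ts"]))
    return sessions, bursts

# Constructed sample in the shape of the recipe's output (not real data).
SAMPLE = """\
Feb 7 15:36:13: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3886) -> 10.2.2.2(23), 1 packet
Feb 7 15:36:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3887) -> 10.2.2.2(23), 1 packet
Feb 7 15:38:32: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3888) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:20: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4332) -> 10.2.2.2(23), 1 packet
Feb 8 07:49:35: %SEC-6-IPACCESSLOGP: list 122 permitted tcp 172.25.1.1(4333) -> 10.2.2.2(23), 1 packet
Feb 8 08:08:57: %SEC-6-IPACCESSLOGP: list 121 denied tcp 172.25.1.9(4339) -> 10.2.2.2(23), 1 packet
""".splitlines()
```

Feed it the output of `show logging | include list 121`; lines for other ACLs and denied flows are skipped, so the totals line up with the `syn` entry's match counter.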
For more information about logging, see Chapter 18.
Recipe 19.4; Recipe 19.5; Chapter 18